Cyber-Attacks: Understanding Vulnerabilities and Creating Awareness
Published on: Wednesday, 03-02-2021
Any single vulnerability can prove fatal to the whole organisation, says Suneet Pahwa, stressing the importance of creating awareness.
The year 2020 has been a transformative year for a lot of organisations, from moving the workforce from offices (or the field) to remote and distributed locations. Technology adoption has happened at such a fast pace that some experts believe years' worth of digital adoption was achieved within a few months of the pandemic. Organisations within and outside India have now started thinking about technology not from a cost-savings or operational-efficiency perspective, but from the perspective of the organisation's strategy. However, there has been a downside to this rapid digital adoption: the increase in cyber threats. According to DSCI's discussions with CISOs and CIOs across sectors in 2020, the increase in cyber threats is attributed to a lack of understanding of cybersecurity, the speed of digital adoption without analysing the impact of integrating various technologies and the resulting vulnerabilities, and the limited availability of talent with the desired skill set. Additionally, the increase in attack surface due to next-gen technology adoption has also played a significant role in increasing cyber threats.
A closer look at vulnerabilities and cyber-attacks
In 2020 alone, India witnessed a sharp increase in cyber-attacks. According to an article that appeared in the Inc42 publication, about four lakh (400,000) malware samples were found per day on average, and on average 375 cyber-attacks happened daily in India [1]. India's manufacturing sector, for example, witnessed 41,000 intrusions [2] in January-June 2020, an increase of 6,000 compared to the same period in 2019. The following figure shows some of the vulnerabilities and attacks that have impacted Indian businesses.
[Figure: vulnerabilities and attacks that have impacted Indian businesses. Not exhaustive; source: press search, Cyware and CERT-In.]
In addition to the direct threats brought by digital transformation, there is an aspect of physical security of assets and personnel that is often overlooked. In 2018, Microsoft and Accenture [3] conducted a joint survey with more than 200 industry leaders to understand how critical physical security is in the era of digital transformation. The report concluded that even though the leaders understood risk management in the digital enterprise, they lacked an understanding of the physical security of personnel and assets. System malfunction also poses a risk to the physical security of personnel and assets.
Insider threat is another risk to the OT sector (including industrial plants). According to the latest report on insider threat by Verizon, manufacturing is among the five industries [4] with the highest number of insider threats. The average cost of insider threat to a manufacturing organisation (with more than 1,000 employees) is about USD 8.86 million.
Additional challenges brought by Covid-19
The year 2020 has also changed the way we work on a daily basis, and this change has resulted in many new challenges from an employee perspective. Some of the recurring challenges that have come up during our industry roundtables are as follows:
1. Cybersecurity awareness across the board: There is a significant lack of understanding when it comes to cybersecurity awareness. This is commonly seen across multiple sectors.
2. Dated cybersecurity and operational guidelines: Cyber policies (including BYOD) need revision, as the way organisations operate has changed in the past few months. In some cases, these guidelines have been written from a subject-matter expert's perspective. However, given the vast scale of threats and vulnerabilities, cybersecurity guidelines must also address people on the manufacturing floor.
3. Business resiliency: Business resiliency must include Business Continuity Planning/Disaster Recovery (BCP/DR) planning and testing. In our observation, companies that had tested their plans well responded to the lockdown more effectively than those that had not. The leaders also felt that such plans must be more hands-on and must consider an exhaustive set of scenarios.
4. Network monitoring: Monitoring has become a challenge for many organisations' IT departments. Many leaders believe that the "noise" in network traffic has increased significantly. Organisations should invest in infrastructure to fine-tune their monitoring activities.
5. Data loss: Data privacy and data loss were leading focus areas before Covid-19 as well. However, the distributed workforce model has escalated the challenge due to a lack of controls.
The illustration summarises these (and some additional) challenges as they have come up in various discussions DSCI has had during 2020.
Approach to cybersecurity
In April 2020, NCIIPC published the guideline document "Building resilience against cyber-attacks during Covid-19 crisis". The guidelines provide a comprehensive understanding across five dimensions from the employee's perspective, as shown in the figure below:
The document also goes beyond these points, covering the role leadership plays and the approach to risk assessment. Based on the various discussions DSCI has led, each organisation must focus on three dimensions: business resiliency, technology controls and cybersecurity awareness.
1. Business continuity and disaster management: Planning is one of the ways in which organisations can achieve business resilience. According to DSCI's Security Framework (DSF) [5], the following parameters help to assess the maturity of BCP/DR management:
a. Visibility over BCP/DR readiness, which can be achieved using an analytical approach
b. Business alignment: BCP/DR must be in the context of the business requirement
c. The infrastructure team must move its focus from tactical issues to more strategic ones
d. The plans created under the BCP/DR programme must be repeatedly tested under various scenarios
e. The plans must be actionable and integrative (that is, all dependencies and relations must be clearly outlined), and
f. Operational metrics must be defined to measure successes and failures.
A detailed approach to a better BCP/DR plan is discussed below:
i. Identify the scenarios that can have an impact on the business. Prepare a consolidated list of such scenarios. Ensure that the asset repository across the organisation is complete and up to date.
ii. Conduct a Business Impact Analysis (BIA) to provide inputs on enterprise recovery objectives.
iii. Develop the complete strategy for business recovery, as per the identified scenarios, identified assets and BIA results.
iv. Ensure end-to-end testing of the BCP/DR plans at regular intervals. As stated previously, these plans must be thoroughly tested and written so that they are actionable. Additionally, since these plans will be instrumental in an organisation's resiliency, all the leading business units such as GRC, HR, Finance, Administration etc. must be consulted.
v. From a technology and data perspective, ensure that redundancy measures are implemented across the IT infrastructure: network, servers, data centres and endpoints. These are largely based on the identification of hot sites, warm sites and cold sites. Data must be backed up regularly, keeping business metrics in mind (AIW, RTO, RPO etc.).
2. Technology controls: At the technology control level, organisations must focus on two aspects: data security and technical infrastructure. IT and OT security leaders must evaluate the changing threat landscape and new technology developments. For instance, during 2020 we have seen organisations across sectors evaluating the adoption of architecture-level changes. This is driven by the distributed workforce, and hence organisations need to focus on establishing trust at the device, user, session, application and data levels. One approach could be to adopt a Zero-Trust architecture, which is based on the premise of "Never trust, always verify". Re-evaluate employees' access rights to corporate information and follow the principle of least privilege.
Organisations must also evaluate the segmentation of the network. There must be clear segregation between the IT network and the OT network, so that a vulnerability in the IT network does not give attackers an opportunity to move laterally and exploit the OT/plant network. Various next-generation firewall solutions can help create the desired segregation.
3. Cybersecurity awareness: Any single vulnerability can prove fatal to the whole organisation. Hence, in addition to ensuring that awareness training is complete in terms of new technologies and their associated controls, the training must also be comprehensive enough to cover the depth required for various roles. Additionally, awareness training plays a definitive role in defining the cybersecurity/cyber risk culture. Awareness training should include (but not be limited to) phishing awareness campaigns, IT-use best practices across the organisation, scenario-based cybersecurity training, etc. With these approaches, organisations will have a better understanding of the threats around them and be better prepared to handle and respond to an unforeseen incident.
Data Security Council of India (DSCI) is a not-for-profit industry body on data protection in India, set up by NASSCOM®, committed to making cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cybersecurity and privacy. DSCI works together with the Government and its agencies, law enforcement agencies, industry sectors including IT-BPM, BFSI, CII and Telecom, industry associations, data protection authorities and think tanks for public advocacy, thought leadership, capacity building and outreach initiatives. For more information, visit: www.dsci.in
[1] Inc42 article: https://inc42.com/buzz/india-hit-by-375-cyberattacks-daily-in-2020-says-pant/
[2] CrowdStrike OverWatch report 2020 and Manufacturing Today India: https://www.manufacturingtodayindia.com/people/9182-cybersecurity-the-invisible-threat-to-the-manufacturingsector
[3] The future of physical security: https://www.accenture.com/_acnmedia/PDF-100/Accenture-Future-of-PhysicalSecurity-Whitepaper.pdf
[4] Industry Week: https://www.industryweek.com/technology-and-iiot/article/22027503/insider-threatsmanufacturings-silent-scourge
[5] DSCI Security Framework: https://www.dsci.in/sites/default/files/DSF.pdf
Suneet Pahwa, currently Deputy Director at DSCI (NASSCOM), is an experienced professional with over 14 years of experience, more than a decade of which has been spent solving client problems in cybersecurity around the globe. He brings vast experience in product management, client delivery, business development and industry liaison, public speaking and people management, having led global engagements in the banking and insurance sector. He has been an advisor to enterprises in the areas of digital transformation, cyber maturity assessment and cyber risk prioritisation.
In his current appointment, Suneet is responsible for programme management and stakeholder management (both internal and external): ensuring quality delivery of Government-funded projects, expanding the reach of India's Cybertech Repository (TechSagar) by ensuring regular enhancements that are relevant to its user community, driving industry discussions on all current cybersecurity topics with CISOs and CIOs, and ensuring successful events such as NASSCOM-DSCI's Annual Information Security Summit (AISS) and Best Practice Meet (BPM). He works closely with DSCI's CEO and VP on critical areas such as sponsorships and technical team priorities.
Prior to joining DSCI, he served as Cybersecurity Knowledge Specialist at McKinsey & Company for over 7 years, where his consulting engagements gave him a problem-solving skill set and exposure to various business cultures outside India.
Suneet holds a B.E. in Electronics & Communication from Manipal University, Karnataka and an M.B.A. from Purdue University (USA). Over the years, he has earned many certifications such as ISACA's CISM, ITIL v3 Expert, ISO 27001 Lead Auditor and PRINCE2 Practitioner. He recently completed the "Advanced course in Machine Learning using Python" (online) from IIT Madras and the Confederation of Indian Industry (CII).